Apple tells devs to validate Xcode after App Store malware breach


Apple has reminded developers to verify their copy of Xcode before submitting iOS apps, but it probably won’t stop Chinese developers from using pirated versions of the free software.

After the App Store found itself harbouring malware stemming from counterfeit copies of Xcode, Apple has reminded developers to make sure they’re using the company’s own software for creating iOS and OS X apps.

iOS malware was found in the App Store earlier this month after developers in China used tainted copies of Xcode downloaded from non-Apple servers in the country when building their apps. Researchers at Palo Alto Networks found 39 iOS apps in the App Store infected with malware as a result, putting iPhone users in China at risk. In the following days, Chinese researchers claimed to have found nearly 4,000 more infected apps.


Apple this week told Reuters that it was working with developers to make sure they’re using the proper version of Xcode to rebuild any infected apps, with victims including WeChat, PDF Reader, WinZip, Pocket Scanner, CamCard, and others.

On Tuesday the company extended the advice to all developers, urging them to stay within Apple’s software ‘walled garden’.

“You should always download Xcode directly from the Mac App Store, or from the Apple Developer website, and leave Gatekeeper enabled on all your systems to protect against tampered software,” Apple said.

Gatekeeper was introduced by Apple in OS X 10.8 Mountain Lion in 2012 as a way of checking that a downloaded app is not known malware and has not been tampered with since it was signed. It has been bypassed more than once, but at a minimum it requires developers to sign their apps with an Apple-issued Developer ID certificate. The default setting in OS X 10.10.5 Yosemite is for Gatekeeper to be enabled, which only allows downloaded apps to launch if they come from the Mac App Store or an identified developer.

“When you download Xcode from the Mac App Store, OS X automatically checks the code signature for Xcode and validates that it is code signed by Apple. When you download Xcode from the Apple Developer website, the code signature is also automatically checked and validated by default as long as you have not disabled Gatekeeper,” Apple said on Tuesday.

As some security experts have noted, however, it’s very likely that developers in China will still turn to pirated copies of Xcode despite the fact the legitimate software is available free from Apple, as China’s internet filter makes it impractical to download files from servers hosted outside the country.

Dave Aitel, founder of ImmunitySec, this week relayed his account of a visit to a partner in China and said he believes Apple will see a repeat of the Xcode incident because of the impact China’s internet filter has on download speeds when files are located outside of the country.

“When we asked one of our partners (a major Chinese company you would have heard of even here) to download VMWare Player (which is free), he immediately reached out to one of the Chinese pirate sites to grab an old copy of cracked VMWare Workstation. He was not wrong: Actually browsing to VMWare.com itself would have taken literally forever, even though he is connected at his desk to one of the fastest networks on Earth,” wrote Aitel.

He continued: “Not only is the recent XCode hack going to happen again and again, it is in some ways a uniquely Chinese problem and allows them to pressure Apple and similar companies to put infrastructure inside China to solve, which is interesting.”

Apple does, however, also provide a Terminal command for verifying a copy of Xcode obtained from somewhere other than Apple's own servers, such as a USB drive or a local network share.
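The command Apple documents for that check is `spctl --assess --verbose /Applications/Xcode.app`; a genuine copy reports `accepted` with a source of `Mac App Store`, `Apple` or `Apple System`, while a bundle whose contents have been altered fails the signature check and is reported as `rejected`. The script below is an added example, not Apple's text or the article's, that wraps that assessment so a build machine can refuse to use a bad copy. The function names `classify_spctl_output` and `check_xcode` are the example's own, and the sample outputs it runs against are constructed to match the format Apple documents; only the real `spctl` call on OS X tells you anything about your actual installation.

```shell
#!/bin/sh
# Added example (not Apple's published text): turn the Gatekeeper assessment
# Apple recommends for a locally obtained Xcode bundle into a verdict a build
# script can act on.
#
# Apple's documented command:  spctl --assess --verbose /Applications/Xcode.app
# A genuine copy prints "<path>: accepted" followed by one of
#   source=Mac App Store | source=Apple | source=Apple System
# Anything else (rejected, or accepted but signed by some other identity)
# means the bundle should not be used to build apps for submission.

# classify_spctl_output OUTPUT
#   OUTPUT is the text printed by spctl --assess --verbose.
#   Prints genuine | untrusted-source | rejected | unknown; exit 0 only for genuine.
classify_spctl_output() {
    out="$1"
    case "$out" in
        *": accepted"*) ;;                         # signature valid; now check who signed it
        *": rejected"*) echo rejected; return 1 ;; # unsigned, altered, or revoked signature
        *)              echo unknown;  return 1 ;; # not spctl output (wrong path, tool missing)
    esac
    # The source= field may follow on the same line or the next one; take the first.
    src=$(printf '%s\n' "$out" | sed -n 's/.*source=//p' | head -n 1)
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") echo genuine; return 0 ;;
        *) echo untrusted-source; return 1 ;;      # e.g. a Developer ID: signed, but not by Apple
    esac
}

# check_xcode [APP_PATH]: run the real assessment (OS X only) and classify it.
check_xcode() {
    app="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found; this check only runs on OS X" >&2
        return 2
    fi
    classify_spctl_output "$(spctl --assess --verbose "$app" 2>&1)"
}

# Constructed sample outputs (assumed format, modelled on Apple's documented
# output) so the classifier can be exercised on any platform.
SAMPLE_GENUINE="/Applications/Xcode.app: accepted
source=Mac App Store"
SAMPLE_DEV_ID="/Applications/Xcode.app: accepted
source=Developer ID"
SAMPLE_REJECTED="/Applications/Xcode.app: rejected
source=no usable signature"

for s in "$SAMPLE_GENUINE" "$SAMPLE_DEV_ID" "$SAMPLE_REJECTED"; do
    printf '%s -> %s\n' "$(printf '%s' "$s" | head -n 1)" "$(classify_spctl_output "$s")"
done
```

On a developer Mac, `check_xcode` (or `check_xcode /Volumes/USB/Xcode.app` for a copy that has not been installed yet) is the call to put in front of any archive or submission step. Note that an `accepted` result signed by a Developer ID rather than by Apple is deliberately treated as a failure: Gatekeeper would let such a bundle launch, but it is not the copy Apple shipped.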